How the Great Firewall discovers hidden circumvention servers. Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

Transcription

1 How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

2 Much already known about GFW Numerous research papers and blog posts Open access library: censorbib.nymity.ch We know... What is blocked How it is blocked Where the GFW is, topologically Unfortunately, most studies are one-off Continuous measurements challenging

3 Many domains are blocked Client in China DNS resolver outside China DNS request for

4 Many domains are blocked Client in China DNS resolver outside China DNS request for

5 Many domains are blocked Client in China DNS resolver outside China DNS request for facebook is at

6 Many domains are blocked Client in China DNS resolver outside China facebook: DNS request for facebook is at

7 Many keywords are blocked Client in China Web server outside China GET / HTTP/1.1 Host: site.com

8 Many keywords are blocked Client in China Web server outside China GET / HTTP/1.1 Host: site.com

9 TCP reset Many keywords are blocked Client in China Web server outside China GET / HTTP/1.1 Host: site.com

10

11 Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? VPN? Tor?

12 Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? VPN? Tor? Port number? Type of encryption? Handshake parameters? Flow information?

13 Censors often test how far they can go

14 Censors often test how far they can go

15 Active Probing

16 Assume an encrypted tunnel Client in China Server in Germany TLS connection

17 1. GFW does DPI Client in China Server in Germany TLS connection

18 1. GFW does DPI Client in China c02bc02fc00ac009 c013c014c012c007 c f a ff TLS connection Server in Germany Cipher list in TLS client hello looks like vanilla Tor!

19 2. GFW launches active probe Client in China Server in Germany TLS connection Active prober Tor handshake

20 2. GFW launches active probe Client in China Server in Germany TLS connection Active prober Tor handshake Tor handshake

21 3. GFW blocks server Client in China Block server Server in Germany TLS connection Yes, it was vanilla Tor! Active prober Tor handshake Tor handshake

22 Our Shadow dataset Clients in China repeatedly connected to bridges under our control Clients in CERNET Tor, obfs2, obfs3 EC2 Tor bridge Tor, obfs2, obfs3 EC2 Tor bridge Clients in UNICOM

23 Our Sybil dataset Redirected 600 ports to Tor port Vanilla Tor bridge in France Client in China

24 Our Sybil dataset Redirected 600 ports to Tor port Vanilla Tor bridge in France Client in China Holy moly, 600 bridges on a single machine!

25 Our Log dataset Web server logs dating back to Jan 2010 Active probes Web server

26 Where are the probes coming from? Collected 16,083 unique prober IP addresses 95% of addresses seen only once Reverse DNS suggests ISP pools Sybil 1,090 Shadow 135 adsl-pool.sx.cn kd.ny.adsl online.tj.cn Majority of probes come from three Log 14,802 autonomous systems ASN 4837, 4134, and 17622

27 Where are the probes coming from? Collected 16,083 unique prober IP addresses 95% of addresses seen only once Reverse DNS suggests ISP pools adsl-pool.sx.cn kd.ny.adsl online.tj.cn Majority of probes come from three autonomous systems Sybil 1,090 Log 14,802 Shadow 135 ASN 4837, 4134, and 17622

28 Are probes hijacking IP addresses? While probe is active, no other communication with probe possible Traceroutes time out several hops before destination Port scans say all ports are filtered What do probes have in common? IP TTL IP ID TCP ISN TCP TSval TLS client hello Pcaps online: nymity.ch/active-probing/ IP TCP TLS Tor

29 What do probes have in common? All probes Have narrow IP TTL distribution Use source ports in entire 16-bit port range Exhibit patterns in TCP TSval Does not seem like off-the-shelf networking stack User space TCP stack? IP TCP TLS Tor

30 TCP s initial sequence numbers TCP uses 32-bit initial sequence numbers (ISNs) Protects against off-path attackers Attacker must guess correct ISN range to inject segments Every SYN segment should have random ISN TCP connection Seq = 0x1AF93CBA TCP reset Seq =??? IP TCP TLS Tor

31 What we expected to see

32 What we did see

33 What we did see

34 TLS fingerprint Probes all share uncommon TLS client hello Not running original Tor client No randomly-generated SNI Unique (?) cipher suite Measured on a busy Tor guard relay: Observed 236,101 client hellos over 24 hours Only 67 (0.02%) had identical setup Recorded only client hellos, no IP addresses IP TCP TLS Tor

35 Tor probing Active prober Establish TCP and TLS connection Tor bridge VERSIONS VERSIONS NETINFO Close TCP and TLS connection IP TCP TLS Tor

36 Physical infrastructure State leakage shows that probes are controlled by centralised entity Not clear how central entity controls probes Proxy network? Geographically distributed set of proxy machines Off-path device in ISP s data centre? Machines connected to switch mirror ports

37 Blocking is reliable, but fails predictably

38 In 2012, probes were batch-processed

39 Today, probes are invoked in real-time Median arrival time of only 500 ms Odd, linearly-decreasing outliers

40 Blocked protocols

41 Protocols that are probed or blocked SSH In 2011, not anymore? VPN OpenVPN occasionally SoftEther Tor Vanilla Tor obfs2 and obfs3 AppSpot To find GoAgent? TLS Anything else?

42 Oddities in obfs2 and obfs3 probing Tor probes don t use reference implementations obfs3 padding sent in one segment instead of two Probes sometimes send duplicate payload State leakage?

43 Probe type and frequency since 2013

44 Find your own probes SoftEther: POST /vpnsvc/connect.cgi AppSpot: GET /twitter.com tcpdump host More instructions on nymity.ch/active-probing

45 Trolling the GFW

46 Block list exhaustion for ip_addr in $ip_addrs ; do for port in $(seq ); do timeout 5 tor --usebridges 1 --bridge $ip_addr:$port done done One /24 network can add 16 million blocklist entries

47 File descriptor exhaustion Processes have OS-enforced file descriptor limit Often 1,024, but configurable Every new, open socket brings us closer to limit What s the limit for active probes? Attract many probes and don t ACK data, don t close socket Will GFW be unable to scan new bridges?

48 Make GFW block arbitrary addresses See VPN Gate s innocent IP mixing See censorbib.nymity.ch/#nobori2014a For a while, GFW blindly fetched and blocked IP addresses Add critical IP addresses to server list Windows update servers DNS root servers Google infrastructure GFW operators soon started verifying addresses

49 Circumvention

50 Problems in the GFW s DPI engine DPI engine must reassemble stream before pattern matching TCP stream often not reassembled Server-side manipulation of TCP window size can hide signature Exploited in brdgrd: gitweb.torproject.org/brdgrd.git/ Ambiguities in TCP/IP parsing See censorbib.nymity.ch/#khattak2013a TCP/IP-based circumvention difficult to deploy Hey, how about you run this kernel module for me?

51 Pluggable transports to the rescue SOCKS interface on client Turn Tor into something else Vanilla Tor obfs2 obfs3 Payload Flow Several APIs Python Go C Time

52 Pluggable transports that work in China ScrambleSuit Flow shape polymorphic Clients must prove knowledge of shared secret obfs4 Extends ScrambleSuit Uses Elligator elliptic curve key agreement meek Tunnels traffic over CDNs (Amazon, Azure, Google) FTE Shapes ciphertext based on regular expressions More is in the making! WebRTC-based transport

53 Q&A Roya David Fifield Philipp phw Code, data, and paper: nymity.ch/active-probing/